Windows is considered a large operating system.
Compared to light OSs like DSL (Damn Small Linux), Windows' size (over 6GB in Vista, 1.3GB in XP) is pretty big. That is mainly (but not only) because Microsoft crammed into Windows as many (basic) utilities as they could, so the user can work "out of the box" without needing third-party software: a web browser, a basic notepad, a painter, a file manager, etc.
One of those tools is EFS, or Encrypted File System.
What is Encrypted File System?
EFS is, just as its name implies, a tool that lets users encrypt files, making them unreadable by other people.
How does it work?
A long time ago, during the Second World War, Germany needed to send messages to its submarine commanders to launch timed attacks. The problem was that the British/French/US forces were listening to all lines of communication, and any transmission to the subs would have revealed where the subs were and when and where they would attack.
German intelligence then invented the Enigma. Without going into details, it was a basic encryption machine that had levers set in different positions (creating something similar to a "code"), and it used them to modify the input it received, making the data unreadable unless you put the levers in the same positions (producing the same "code") and punched in the encrypted message in order to decrypt it.

It may have been a basic machine, with several flaws, but it did lay down the basics for most future encryption algorithms.
In EFS the idea basically remains the same. Each file is encrypted with a symmetric key (a long code used to encrypt the file; if you apply the same key to the encrypted file again, it is decrypted), and then each such key is encrypted with an asymmetric key (unlike the symmetric case, the key used to encrypt cannot be used to decrypt the symmetric key). This is done because encrypting files with an asymmetric key is a slow process, so it is more sensible to do it on "2048" bytes (that is, 2048 characters of key) than on a 1GB file. The asymmetric key is derived from your password and will change whenever you change your password, so changing your password periodically makes it even harder to break into your encrypted files.
Which Windows versions can I use to encrypt files using EFS?
EFS is supported starting with Windows 2000; however, only from Windows XP onward can you allow different users to access the encrypted data, and means for data recovery also exist only in Windows XP and later versions.
EFS is NOT supported in any of the "home" editions (XP Home, Vista Basic and Vista Home Premium).
How to Enable EFS on Windows (important prerequisites)
EFS is enabled by default, but the first thing we MUST do is designate a user that can act as the data recovery user, in case our password is reset or forgotten, the user profile is deleted, etc.
So, to do that, log in as the data recovery user (preferably "administrator"), open up CMD and punch in the following command:
cipher /R:EFS
This command will create 2 files:
efs.cer - the administrator's certificate (the proof that he is "administrator" and not some other user)
efs.pfx - the administrator's private key, the "code" he uses to encrypt files with. Anyone having this file can impersonate him, so don't leave this file on the computer; copy it to removable storage and lock it away (it will come in handy if the administrator user is deleted, among other hazards that may make your data unavailable).
You'll need to punch in a password to protect the PFX; make sure to remember that one or it'll be useless.
OK, after we got those 2 files, let's make sure our administrator can actually access any encrypted file on the system.
Go to Start --> Run and write in "secpol.msc".
On the screen you get, go to "Public Key Policies" --> "Encrypted File System", right click on that one and select "Add Data Recovery Agent". Click "Next", find the CER file, Next, Finish.
Now right click --> Properties on the new certificate you see on the right side of the screen. Select "Enable only the following purposes" and mark "File Recovery".
Congratulations - now you can fix things up in case they get screwed up.
How to Use EFS on Windows
This is quite easy actually. Once the recovery agent is set up (or a "no recovery agent needed" policy is set up, but I won't explain how to do so as it's idiotic and dangerous), all you have to do is right click --> Properties on a file or folder, select "Advanced" and mark "Encrypt contents to secure data".
Congratulations, your first file is now encrypted, and your user (and the data recovery user) are the only ones able to access it.
You may notice the file name turned green; that is the mark of encryption.
If you wish to allow different users to read the encrypted file, simply go back to Properties --> Advanced. Now the "Details" button is no longer grayed out; click it and you'll get the next screen:
Note - if you want to add a user, you should add their CER file (like we did with the user "administrator" in the beginning) and not only punch in their name.
That's all there is to it actually (from a user's point of view, that is).
Please note that:
- files can be encrypted on NTFS volumes only; it can't work on FAT32
- if you encrypt a file on an NTFS volume and copy it to a FAT32 partition, the file will be decrypted and anyone can access it
- the same goes for copying an encrypted file to an NT4-based machine
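The following PowerShell script is an added example (not part of the original post) that checks a file's EFS state through the .NET file APIs, encrypts it the same way the "Encrypt contents" checkbox does, and refuses to copy an encrypted file onto a non-NTFS volume, where it would land in plaintext as the notes above describe. It assumes PowerShell 3 or later (for Get-CimInstance), drive-letter paths rather than UNC shares, and a Windows edition where EFS is available; the file paths in the usage lines are placeholders.

```powershell
# Added example, not code from the original post. Assumes PowerShell 3+ and
# drive-letter paths. The paths in the usage lines are placeholders.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = [System.IO.File]::GetAttributes($Path)
    # The Encrypted attribute is what Explorer shows as the green file name
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-EfsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Same effect as Properties -> Advanced -> "Encrypt contents to secure data"
    # for the current user. Throws NotSupportedException on FAT32 or where EFS
    # is unavailable, so the caller sees the failure instead of a plaintext file.
    [System.IO.File]::Encrypt($Path)
    return Test-EfsEncrypted -Path $Path
}

function Get-VolumeFileSystem {
    param([Parameter(Mandatory)][string]$Path)
    # Map the path to its drive (e.g. "E:") and ask the OS what filesystem it is
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    $drive = $root.TrimEnd('\')
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return $disk.FileSystem
}

function Copy-EfsFileSafely {
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Destination)
    if (Test-EfsEncrypted -Path $Source) {
        $fs = Get-VolumeFileSystem -Path (Split-Path -Parent $Destination)
        if ($fs -ne 'NTFS') {
            throw "Refusing to copy: '$Source' is EFS-encrypted and a $fs volume would store it in plaintext."
        }
    }
    Copy-Item -Path $Source -Destination $Destination
    # Confirm the copy kept its encryption; fail loudly if it was silently decrypted
    if ((Test-EfsEncrypted -Path $Source) -and -not (Test-EfsEncrypted -Path $Destination)) {
        throw "Copy at '$Destination' is not encrypted; remove it and check the destination volume."
    }
}

# Usage (placeholder paths):
# Protect-EfsFile -Path 'C:\Users\alice\secret.txt'
# Copy-EfsFileSafely -Source 'C:\Users\alice\secret.txt' -Destination 'E:\backup\secret.txt'
```

The destination folder must already exist, since the filesystem check resolves the parent directory before the copy is attempted.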
This blog has been moved to http://ponline-space.net/
hope to see you there!